If I don't want to log to disk, and want to send JSON logs to a remote
server: when some code like this, Log::write(HTTP::LOG, c$http), runs, it would
send the HTTP log to my server. Does this mean I need to change
src/logging/writers/ascii? Or should I add a new writer, something
like socket? I don't want to change the Bro scripts that already exist, so
Log::write(HTTP::LOG, c$http) should not change. Or I think it is to
add a config like
LOG_SERVER_IP = 192.168.100
LOG_SERVER_PORT = 8087
and all the http, notice and so on are all sent to the server.
Any suggestions? Or has somebody already done this before?
I believe you likely want functionality that technically exists in Master.
Check out remote logging with Broker... https://www.bro.org/sphinx-git/frameworks/broker.html#remote-logging
I haven't played with that yet, so I can't be certain it does precisely what you want...
Alternatively, you could just delete the logs after they rotate and send the logs via syslog with rsyslog, or your syslog daemon of choice.
Let me know if that helps!
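One concrete form of the rsyslog alternative mentioned above, as an added example that is not part of this thread: Bro keeps writing its ASCII logs (switched to one JSON object per line with the LogAscii::use_json option), and rsyslog tails the live log files and forwards each line over TCP to a collector. The log directory, the collector address 192.0.2.10 and the port 8087 are assumptions.

```rsyslog
# Bro side (assumption: placed in local.bro): emit one JSON object per log
# line so the collector receives structured records, not tab-separated columns.
#   redef LogAscii::use_json = T;

# rsyslog side: tail the files Bro is currently writing and forward each line.
module(load="imfile")

# One input per log stream; the Tag tells the collector which stream a line
# came from. The path is an assumption: adjust it to your Bro log directory.
input(type="imfile"
      File="/opt/bro/logs/current/http.log"
      Tag="bro-http:"
      Ruleset="bro_forward")
input(type="imfile"
      File="/opt/bro/logs/current/notice.log"
      Tag="bro-notice:"
      Ruleset="bro_forward")

# Send only the tag and the raw JSON line, not a full syslog header, so the
# receiver can split on the tag prefix and parse the rest as JSON.
template(name="bro_raw" type="string" string="%syslogtag%%msg%\n")

# Collector address and port are constructed values for this example.
# The disk-assisted queue holds lines locally while the collector is
# unreachable, so a network outage does not silently drop log records.
ruleset(name="bro_forward") {
    action(type="omfwd"
           Target="192.0.2.10"
           Port="8087"
           Protocol="tcp"
           template="bro_raw"
           queue.type="LinkedList"
           queue.filename="bro_forward_q"
           queue.saveOnShutdown="on"
           action.resumeRetryCount="-1")
}
```

Rotated files can still be removed on the Bro side as the reply suggests; imfile follows the current file by name, so rotation does not need any change to this configuration.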
Is this a Bro-only broker, or does it communicate via AMQP?
The Bro logs should be sent to a stream handling process, maybe Kafka or
Storm, for preprocessing the logs (where I need to redefine the log
fields and add more precise fields in one protocol like HTTP). So
logging directly to Elasticsearch may not be a good method.
Also, does Bro support understanding the code by switching on some macro, so I
can see (for example) how a packet was handled, from beginning to end?
I don't want to make a debug build and step through it in gdb to see which
function was called. Something like a debug log of call order?